How to protect your business from fraud using Xero

21 October, 2020
Meryl Johnston

If you spot any of these fraud red flags, follow these 7 steps to protect your business’ finances.  

Did you know that the typical business loses 5% of revenue each year to fraud, according to a recent Association of Certified Fraud Examiners Report?

For many eCommerce entrepreneurs, hiring someone to manage their accounting is a great move. 

However, if you are naive or don’t have proper systems and processes in place, you could be opening yourself up to fraud.  

It takes time and effort to recover the money stolen by perpetrators, and many organizations are never able to fully do so.

In this post, we’re sharing tips to help protect your eCommerce business from fraud, including: 

What exactly is fraud?

Queensland Police’s Your guide to stopping Employee fraud defines fraud as any “behavior that is deceptive, dishonest, corrupt or unethical. For fraud to exist, there needs to be an offender, a victim and an absence of control or safeguards.”

In one case reported in 2011, a contract bookkeeper working for a group of direct sales companies siphoned $891,000 into her possession. She used the money on luxury goods and to pay back her mother’s gambling debts. (source: Smartcompany)

Does fraud happen with eCommerce businesses? Yes it does. Here’s a cautionary tale:

Why does fraud happen?

As much as we like to believe that all people are inherently good, that’s not the case. When it comes to our business’s finances, we need to put a few fail-safes in place.

For fraud to occur, there needs to be both opportunity and motivation for the offender.

Business owners might not be able to control the motivations of the offender (gambling debts, for example), but they can limit the opportunity. Being aware of the risks and putting controls and safeguards in place will help to prevent fraud.

The risks dramatically increase when responsibility for the entire bookkeeping / finance function is handled by only one person — especially where the staff member has full access to the bank account and accounting software without another staff member involved.

What’s the potential impact of fraud?

In simple terms, if someone (other than you) has full access to your bank account, they could take everything in that bank account.

Some examples of fraudulent scenarios are:

  • Somebody in charge of purchasing pays themselves by creating fraudulent or duplicated invoices for commonly purchased items.
  • The person in charge of payroll creates fake employees and pays themselves.
  • Somebody in charge of invoicing changes the invoice bank account details to their own and then credits the invoice.

Any of these scenarios could cause enough of a cash flow problem to force you out of business.

What are some fraud red flags? 

Here are a few red flags to be aware of.

  • Your bookkeeper requests or has full access to your bank accounts and can make payments without a 2nd signature.  
  • You (or another manager) are not involved in approving invoices for payment before they are paid. 
  • There is one bookkeeper (internal or external) doing the whole accounting function. (As an added layer of protection, you want to have a separation between the person entering bills in Xero and creating invoices, and the person who is reconciling bank transactions.)
  • You are seeing unexpected spikes in expenses or asset purchases.

7 steps to protect yourself from fraud (using Xero).

Step 1 – Restrict access to authorize payments in bank accounts

Make sure to restrict access to authorizing payments from within your bank account to only a few people, and require a 2nd signature to authorize payments.

For example, you can still have your bookkeeper set up the payment in the bank, but it is worth thinking about whether they should have the ability to approve payments.

Step 2 – Invoices are approved by the purchaser before they are paid

A lack of approval process in place for invoices can spell trouble for your business.

How does your bookkeeper know whether the goods and services were received to the required standard, for each invoice? Often they won’t, especially as the business grows and there are more people making purchases. To avoid paying for goods / services that haven’t been received, the invoice should be ‘approved’ to indicate it can be paid.

The process in Xero looks like this:

  1. Bills are entered in Xero and sit in ‘Awaiting Approval’
  2. Once the bill has been approved it moves to ‘Awaiting Payment’
  3. Batch payments are created from invoices in the Awaiting Payment area
  4. The batch payment file is uploaded to online banking
  5. The payment file is approved in online banking

Click the green ‘approve’ button to approve the purchase ready for payment.

In some small businesses the business owner will be approving purchases for payment in Xero and also authorising payment in internet banking.

As a small business grows, the approval of purchases is often delegated to project managers or team leaders. However, as the business owner, it is usually a smart idea to retain control of authorizing payments. 

Step 3 – Restrict access to changing bank account details in Xero

If you are using the batch payment function in Xero, then changes to bank account details in Xero can expose you to the risk of fraud.

Luckily, Xero provides a way for you to restrict access to changing bank account details.  

Be mindful of who has access to change supplier and employee bank account details in Xero.  

Also make sure to review changes made to bank account details regularly (explained in more detail in Step 6, the Assurance Dashboard).

How to implement this in Xero:

Restrict access to changing bank account details in Xero

Step 4 – Split out the accounting and payment functions

Instead of having one person responsible for every aspect of a role, split the responsibilities among multiple people.

According to an article published by the Association of Certified Fraud Examiners, Small business fraud and the trusted employee: protecting against unique vulnerabilities:

Small businesses are particularly vulnerable to fraud because they lack the resources to implement complete systems of internal controls and properly segregate accounting duties among their limited employees.

Therefore, accounting personnel may be tasked with completely inappropriate job functions that provide easy opportunities for committing financial fraud. Furthermore, the business cultures of small businesses are developed around a concept of a “trusted family” of employees.

Consequently, placing trusted employees in positions without proper internal controls doesn’t appear to be an unreasonable decision to managers of a “family” business.

In order to prevent this, we recommend that business owners separate the roles of the person completing bank reconciliations and the person raising invoices or paying bills.  You could do this by having an internal admin staff member raise invoices and bills in Xero and then use a separate person / business like Bean Ninjas to complete the reconciliations.

Step 5 – Regularly review your Profit and Loss statement and Balance Sheet

A monthly review of your P&L and Balance Sheet should help to identify unexpected purchases.  

Before reviewing your monthly reports make sure to set your own expectations about what you are expecting to see in the reports.  If you purchased new computers for the team then you would expect to see that reflected in the accounts.

If you see an unexpected increase in assets this month then look into this account to understand why.

Step 6 – Review the ‘Assurance Dashboard’ in Xero

The assurance dashboard in Xero is a great place for your accountant to help you review usual activity within your Xero.

You could review the ‘contacts whose bank accounts have been edited’ section to see where bank account details have been changed.


Step 7 – Run regular financial audits to protect against fraud

We recommend running audit reports every 6 months to identify any unexpected transactions or unauthorized use of your accounting software.

If you have any concerns, here is a simple approach to cross-check your vendor and employee files to see if perhaps an employee has set up a fictitious vendor.

Try comparing your supplier details with your employee file across the following variables:

  • Address
  • Phone Number
  • Bank Account Number

If there are multiple suppliers with the same details as your employees you might need to do some further investigation.
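The cross-check described in Step 7 can be scripted once the supplier and employee lists are exported. The following is an added example, not part of the original post and not a Xero feature; the field names, the sample records and the phone rule (compare the last 9 digits) are assumptions made for illustration.

```python
import re

FIELDS = ("address", "phone", "bank_account")
ABBREV = {"street": "st", "road": "rd", "avenue": "ave"}  # assumed abbreviations

def normalise(field, value):
    """Reduce a value to a comparable key so formatting does not hide a match."""
    value = (value or "").strip().lower()
    if field == "address":
        words = re.sub(r"[^a-z0-9 ]", " ", value).split()
        return " ".join(ABBREV.get(w, w) for w in words)
    digits = re.sub(r"\D", "", value)
    if field == "phone" and len(digits) >= 9:
        return digits[-9:]  # assumption: "+61 4xx" and "04xx" forms should agree
    return digits

def cross_check(suppliers, employees):
    """Return (supplier, employee, [matching fields]) for every overlap found."""
    index = {}
    for emp in employees:
        for field in FIELDS:
            key = normalise(field, emp.get(field))
            if key:  # blank fields must never count as a match
                index.setdefault((field, key), []).append(emp["name"])
    hits = {}
    for sup in suppliers:
        for field in FIELDS:
            key = normalise(field, sup.get(field))
            if not key:
                continue
            for emp_name in index.get((field, key), []):
                hits.setdefault((sup["name"], emp_name), []).append(field)
    return [(s, e, f) for (s, e), f in sorted(hits.items())]

# Constructed sample records (not real data)
SUPPLIERS = [
    {"name": "Acme Packaging", "address": "12 Harbour Rd, Southport",
     "phone": "07 5550 0101", "bank_account": "064-000 1234 5678"},
    {"name": "QuickFix Supplies", "address": "Unit 3, 8 Palm Street",
     "phone": "+61 400 555 012", "bank_account": "084 123 98765432"},
    {"name": "Blank Co", "address": "", "phone": "", "bank_account": "123456 000111222"},
]
EMPLOYEES = [
    {"name": "J. Smith", "address": "unit 3 8 palm st",
     "phone": "0400 555 012", "bank_account": "084-123 9876 5432"},
    {"name": "A. Lee", "address": "5 Ocean Ave", "phone": "", "bank_account": "062-111 22223333"},
]

if __name__ == "__main__":
    for supplier, employee, fields in cross_check(SUPPLIERS, EMPLOYEES):
        print(f"{supplier} shares {', '.join(fields)} with {employee}")
```

A match on any single field is a prompt for the further investigation mentioned above, not proof of a fictitious vendor.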

Pro Tip: Looking for additional tips to prevent fraud? Watch this free webinar. 


Preventing fraud is a case of maintaining some level of control with your business finances and implementing the following safeguards:

  1. Restrict access to authorizing payments from within your bank account to a few key people and require dual signatories to authorize payments
  2. Ensure that invoices are approved by the purchaser before they are paid.
  3. Restrict access to changing bank account details in Xero.
  4. Create a separation of duties between the role of the person completing bank reconciliations and the person raising invoices or paying bills.
  5. Regularly review your Profit and Loss and Balance Sheet and make sure the figures are in line with your expectations.
  6. Ask your accountant to review the ‘Assurance Dashboard’ in Xero
  7. Run regular financial audits.

Are you set up in Xero to protect yourself against fraud? Make sure to follow our steps above.

Want help putting this advice into action or looking for an eCommerce accountant and bookkeeper that has your best interest in mind? Schedule a free call with a Bean Ninjas team member today.

Posted By

Meryl Johnston

Meryl is a Chartered Accountant, entrepreneur and surfer! Prior to Bean Ninjas she ran a cloud accounting consulting firm, worked in both commercial accounting roles, as an auditor (BDO), and as a lecturer in accounting and audit.
